information security cs 526...cs526 topic 17: blp 2 readings for this lecture • wikipedia •...
TRANSCRIPT
CS526 Topic 17: BLP 1
Information Security
CS 526 Topic 17
The Bell LaPadula Model
CS526 Topic 17: BLP 2
Readings for This Lecture
• Wikipedia • Bell-LaPadula model
• David E. Bell: Looking Back at the
Bell-La Padula Model
Access Control at Different
Abstractions
• Using principals
– Determines which principals (user accounts) can
access what documents
• Using subjects
– Determines which subjects (processes) can access
what resources
– This is where BLP focuses on
CS526 Topic 17: BLP 3
CS526 Topic 17: BLP 4
Multi-Level Security (MLS)
• There are security classifications or security levels – Users/principals/subjects have security clearances
– Objects have security classifications
• Example of security levels – Top Secret
– Secret
– Confidential
– Unclassified
• In this case Top Secret > Secret > Confidential > Unclassified
• Security goal (confidentiality): ensures that information do not flow to those not cleared for that level
CS526 Topic 17: BLP 5
Multi-level Security (MLS)
• The capability of a computer system to carry
information with different sensitivities (i.e.
classified information at different security levels),
permit simultaneous access by users with
different security clearances and needs-to-know,
and prevent users from obtaining access to
information for which they lack authorization.
– Discretionary access control fails to achieve MLS
• Typically use Mandatory Access Control
• Primary Security Goal: Confidentiality
CS526 Topic 17: BLP 6
Mandatory Access Control
• Mandatory access controls (MAC) restrict
the access of subjects to objects based on
a system-wide policy
– denying users full control over the access to
resources that they create. The system
security policy (as set by the administrator)
entirely determines the access rights granted
CS526 Topic 17: BLP 7
Bell-LaPadula Model: A MAC Model
for Achieving Multi-level Security
• Introduce in 1973
• Air Force was concerned with security in time-sharing systems – Many OS bugs
– Accidental misuse
• Main Objective: – Enable one to formally show that a computer system
can securely process classified information
CS526 Topic 17: BLP 8
What is a Security Model?
• A model describes the system
– e.g., a high level specification or an abstract machine
description of what the system does
• A security policy
– defines the security requirements for a given system
• Verification techniques that can be used to show
that a policy is satisfied by a system
• System Model + Security Policy = Security Model
CS526 Topic 17: BLP 9
Approach of BLP
• Use state-transition systems to describe computer systems
• Define a system as secure iff. every reachable state satisfies 3 properties – simple-security property, *-property, discretionary-
security property
• Prove a Basic Security Theorem (BST) – so that give the description of a system, one can prove
that the system is secure
CS526 Topic 17: BLP 10
The BLP Security Model
• A computer system is modeled as a state-
transition system
– There is a set of subjects; some are designated as
trusted.
– Each state has objects, an access matrix, and the
current access information.
– There are state transition rules describing how a
system can go from one state to another
– Each subject s has a maximal sec level Lm(s), and a
current sec level Lc(s)
– Each object has a classification level
Elements of the BLP Model
CS526 Topic 17: BLP 11
Subjects
Trusted
Subjects
Objects
Current
Accesses
Security levels, e.g.: {TS, S, C, U}
Lm: Max
Sec. Level L: Class.
Level
Lc: Current
Sec. Level
Access Matrix
CS526 Topic 17: BLP 12
The BLP Security Policy
• A state is secure if it satisfies
– Simple Security Condition (no read up):
• S can read O iff Lm(S) ≥ L(O)
– The Star Property (no write down): for any S that is not
trusted
• S can read O iff Lc(S) ≥ L(O) (no read up)
• S can write O iff Lc(S) ≤ L(O) (no write down)
– Discretionary-security property
• every access is allowed by the access matrix
• A system is secure if and only if every reachable
state is secure.
Implication of the BLP Policy
CS526 Topic 17: BLP 13
Highest
Can Read & Write
Lowest
Subject Max Level
Current
Level
Can
Write
Can
Read
Objects
CS526 Topic 17: BLP 14
STAR-PROPERTY
• Applies to subjects not to principals and users
• Users are trusted (must be trusted) not to disclose secret information outside of the computer system
• Subjects are not trusted because they may have Trojan Horses embedded in the code they execute
• Star-property prevents overt leakage of information and does not address the covert channel problem
CS526 Topic 17: BLP 15
Is BLP Notion of Security Good?
• The objective of BLP security is to ensure
– a subject cleared at a low level should never read
information classified high
• The ss-property and the *-property are sufficient
to stop such information flow at any given state.
• What about information flow across states?
CS526 Topic 17: BLP 16
BLP Security Is Not Sufficient!
• Consider a system with s1,s2,o1,o2 – fS(s1)=fC(s1)=fO(o1)=high
– fS(s2)=fC(s2)=fO(o2) =low
• And the following execution – s1 gets access to o1, read something, release access,
then change current level to low, get write access to o2, write to o2
• Every state is secure, yet illegal information exists
• Solution: tranquility principle: subject cannot change current levels, or cannot drop to below the highest level read so far
CS526 Topic 17: BLP 21
Main Contributions of BLP
• The overall methodology to show that a system is secure – adopted in many later works
• The state-transition model – which includes an access matrix, subject security
levels, object levels, etc.
• The introduction of *-property – ss-property is not enough to stop illegal information
flow
CS526 Topic 17: BLP 22
Other Limitations with BLP
• Deal only with confidentiality, does not deal with integrity at all – Confidentiality is often not as important as integrity in
most situations
– Addressed by integrity models (such as Biba, Clark-Wilson, which we will cover later)
• Does not deal with information flow through covert channels
CS526 Topic 17: BLP 23
Overt (Explicit) Channels vs. Covert
Channels
• Security objective of MLS in general, BLP in particular – high-classified information cannot flow to low-cleared
users
• Overt channels of information flow – read/write an object
• Covert channels of information flow – communication channel based on the use of system
resources not normally intended for communication
between the subjects (processes) in the system
CS526 Topic 17: BLP 24
Examples of Covert Channels
• Using file lock as a shared boolean variable
• By varying its ratio of computing to input/output
or its paging rate, the service can transmit
information to a concurrently running process
• Timing of packets being sent
• Covert channels are often noisy
• However, information theory and coding theory
can be used to encode and decode information
through noisy channels
CS526 Topic 17: BLP 25
More on Covert Channels
• Covert channels cannot be blocked by *-property
• It is generally very difficult, if not impossible, to block all covert channels
• One can try to limit the bandwidth of covert channels
• Military requires cryptographic components be implemented in hardware – to avoid trojan horse leaking keys through covert
channels
CS526 Topic 17: BLP 26
More on MLS: Security Levels
• Used as attributes of both subjects & objects
– clearance & classification
• Typical military security levels:
– top secret secret confidential unclassified
• Typical commercial security levels
– restricted proprietary sensitive public
CS526 Topic 17: BLP 27
Security Categories
• Also known as compartments
• Typical military security categories
– army, navy, air force
– nato, nasa, noforn
• Typical commercial security categories
– Sales, R&D, HR
– Dept A, Dept B, Dept C
CS526 Topic 17: BLP 28
Security Labels
• Labels = Levels P (Categories)
• Define an ordering relationship among Labels
– (e1, C1) (e2, C2) iff. e1 e2 and C1 C2
• This ordering relation is a partial order
– reflexive, transitive, anti-symmetric
– e.g.,
• All security labels form a lattice
CS526 Topic 17: BLP 29
An Example Security Lattice
• levels={top secret, secret}
• categories={army,navy}
Top Secret, {army, navy}
Top Secret,
{army}
Top Secret,
{navy}
Secret, {army,
navy}
Top Secret, {} Secret, {army} Secret, {navy}
Secret, {}
CS526 Topic 17: BLP 31
Coming Attractions …
• Non-interference and non-
deducability